Hear that? It's the sound of BadBIOS wannabe chatting over air gaps

LANs-free prototype mimics notorious rootkit

Computer scientists have brewed up prototype malware that's capable of communicating across air gaps using inaudible sounds.

The mesh network capable of covertly communicating without wireless or wired connections was developed by Michael Hanspach and Michael Goetz. It borrows its founding principles from established systems for robust underwater communication.

In the system, communications could be maintained over multiple hops for purposes including managing malware-infected machines, as the abstract of a paper for a recent edition of the Journal of Communications explains. The researchers go on to outline possible countermeasures against such fiendish malware, including shielding systems from exposure to high frequency sounds.

Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilising the near ultrasonic frequency range.

We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analysing audio input and output in order to detect any irregularities.

The two German researchers explain how their proof-of-concept malicious code can use a computer’s built-in sound card, speakers and microphone as sending and receiving devices to move information from one infected node to another in similarly compromised machines, providing bot systems are within 20 metres of each other.

They continue:

Two computers that are not connected to each other via established types of network interfaces (e.g. IEEE 802.3 Ethernet [2] or IEEE 802.11 WLAN [3]) or that are prohibited from communicating with each other over these established types of network interfaces are, nevertheless, able to communicate with each other by using their audio input and output devices (microphones and speakers).

A painfully slow speed of just 20 bps was achieved using the method but nonetheless it might be workable for a keylogger, providing there's no external interference.

The possibility of malware that can communicate over air-gapped machines, or worse still, spread onto them, is a nightmare scenario for those in charge of otherwise well designed ultra-secure networks (think some military systems, power plants etc). Why? Because a "covert acoustical mesh network" wouldn't respond to any of the well-established security measures typically taken by organisations, and disabling the audio components is not always feasible.

The type of malware outlined by the researchers bears an uncanny resemblance to features of the BadBIOS malware said to have afflicted machines run by computer security researcher Dragos Ruiu.

Dubbed BadBIOS, the mysterious rootkit can supposedly jump over air gaps, screw with a number of different operating systems, and even survive motherboard firmware rewrites. Ruiu (AKA @dragosr) – who organises the annual popular Pwn2Own hacking contest at the CanSecWest conference – said he had come across the malware after it infected his computers but nobody else has seen it. The Register asked Ruiu about his progress in looking into BadBIOS on Tuesday but have yet to hear back.

Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it's possible for malware-infected machines to chat to each other across an air gap. But he's far from convinced any infection is possible via the method. He suggests it is far more practical to attempt to use an infected USB stick for a targeted attack against an air-gapped network, the presumed method the ultra sophisticated Flame cyber-munition used to spread. Flame was reportedly cooked up under the same US-Israeli Operation Olympic Games programme that spawned Stuxnet.

"My theory is that this technology could be used to provide targeted malware a means of external communication for contact with a command and control server," Kujawa writes in a blog post. "The infected system would receive commands from the server and assuming that the initial infection on the covert system was via USB drive, perhaps the malware could store stolen data on the USB.

"That data would be sent out later once the USB is able to plugged into an outward facing system. This is similar to how Flame worked when extracting sensitive data from closed-off networks," he added. ®